Corporate Security Metrics - Key Performance Indicators

Organizations must measure performance at some level to gauge whether they are performing optimally. Most organizations expect that individual business functions will be measured for their performance toward desired goals and objectives. This is where key performance indicators (KPIs) come into play. A KPI is a type of business metric used to measure the performance of a process that is deemed crucial to the success of the organization.

So far so good, but this may cause consternation among those responsible for identifying KPIs for corporate security functions. How do you go about identifying KPIs for security?

The first step is defining the goals of the security program being measured. It is critical that they actually align with and support the organization’s goals. This process includes understanding what is genuinely essential to enabling the business to function optimally. The next step is identifying relevant metrics and then winnowing that list down to the metrics that truly convey performance toward the specified goals.

The selection of KPIs can be an iterative process in which the selected metrics change over time, either as more is learned about the process being measured or because collecting the metrics led to changes in the process itself. For example, a selected metric may help identify problems that need to be corrected within the process being measured, or a selected metric may lead to poorer overall performance because of some "gaming the metric" that subsequently takes place.

Even among similar security programs, the selected KPIs may differ from one organization to another. This is because the organizations’ goals may not be the same, or what they deem crucial is different due to diverse management styles or organizational cultures.

The following PDF provides some examples of security KPIs that you can use to help generate ideas for identifying performance metrics to use for your security services and programs.